Possible leakage with NIP-05
NIP-05 is used to link a public key with a human-readable name. To do this, an HTTP request is sent to the server that hosts the well-known file to validate the public key associated with the "username".
Example: https://nostr.ono.re/.well-known/nostr.json
It could be a privacy leak. The proposed solution is to implement a nym-http proxy to give the nostr client the possibility to query NIP-05 through the mixnet.
Or it could be possible to ask the user whether they want to see the NIP-05 and explain that it can leak their IP.
NIP-05 query from nostr client -> nym-client -> mixnet -> nym-client NIP-05 service provider -> http client -> .well-known file on external server
Something that could pose a threat is that the nym-http proxy could alter the data and send modified data back to the nostr client.
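The lookup and the two concerns raised in this issue (the request exposing the client's IP, and a proxy altering the response), as an added Python example that is not part of the original issue or the project's code. The `lookup` function, the `fetch` callable, the consent flag and the sample keys are hypothetical and constructed for illustration.

```python
import json
import re
from urllib.parse import quote

# NIP-05 restricts the local part to a-z, 0-9, '-', '_' and '.'
_LOCAL = re.compile(r"^[a-z0-9._-]+$")
_DOMAIN = re.compile(r"^[a-z0-9.-]+$")
_HEX_PUBKEY = re.compile(r"^[0-9a-f]{64}$")

def nip05_url(identifier):
    """Build the well-known URL a client requests for name@domain."""
    local, sep, domain = identifier.partition("@")
    if not sep or not _LOCAL.match(local) or not _DOMAIN.match(domain):
        raise ValueError("not a NIP-05 identifier: %r" % identifier)
    return "https://%s/.well-known/nostr.json?name=%s" % (domain, quote(local))

def check_response(identifier, expected_pubkey, body):
    """Compare the server's answer with the pubkey that signed the profile."""
    local = identifier.partition("@")[0]
    try:
        claimed = json.loads(body)["names"][local]
    except (ValueError, KeyError, TypeError):
        return "invalid"
    if not isinstance(claimed, str) or not _HEX_PUBKEY.match(claimed):
        return "invalid"
    return "verified" if claimed == expected_pubkey else "mismatch"

def lookup(identifier, expected_pubkey, fetch, user_consented):
    """Contact the NIP-05 host (directly or via a proxy) only after opt-in."""
    if not user_consented:
        return "skipped"  # no request is made, so no IP is exposed
    body = fetch(nip05_url(identifier))  # fetch: hypothetical transport callable
    return check_response(identifier, expected_pubkey, body)

# Constructed sample data (not real keys)
ALICE = "a" * 64
IMPOSTOR = "b" * 64
HONEST_BODY = json.dumps({"names": {"alice": ALICE}})

def honest_fetch(url):
    """Stands in for a direct fetch or a proxy that relays the body unchanged."""
    return HONEST_BODY

def tampering_fetch(url):
    """Stands in for a proxy that rewrites the server's answer."""
    return json.dumps({"names": {"alice": IMPOSTOR}})
```

With `honest_fetch`, a profile signed by `IMPOSTOR` that claims `alice@example.com` comes back as `"mismatch"`; with `tampering_fetch` the same profile comes back as `"verified"`, because the client's comparison has no way to tell a rewritten body from the server's own.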